This is the first time that President Donald Trump’s Justice Department has filed official charges against members
of a Russian government agency for taking actions intended to influence the outcome of the 2016 presidential
campaign—though Rosenstein was careful to assert that there was no allegation that votes were changed by this
operation. The indictment details match up with much of what we’ve already learned about the information
operations campaign run by the GRU. But the new findings went further, comfortably identifying each person
behind the various elements of the campaign, from the first spear phish to the final data theft, reports Ars Technica.

How they did it

This is a story about how they did it (and will likely try again): GRU hackers vs. US elections. The latest Mueller
indictment offers excruciating details to confirm known election pwnage. GRU officers scanned networks at the
Democratic National Committee Headquarters in Washington, DC, shown here during a January 2017 protest, and
gathered information on its systems and service providers.

Press Briefing

In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury
assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia’s Main
Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel’noye upravleniye, or
GRU). The indictment was for conducting «active cyber operations with the intent of interfering in the 2016
presidential election.» The filing [PDF] spells out the Justice Department’s first official, public accounting of the
most high-profile information operations against the US presidential election to date. It provides details down to the
names of those alleged to be behind the intrusions into the networks of the Democratic National Committee and the
Democratic Congressional Campaign Committee, the theft of emails of members of former Secretary of State
Hillary Clinton’s presidential campaign team, and various efforts to steal voter data and undermine faith in voting
systems across multiple states in the run-up to the 2016 election.

Members of the Green Party protest outside of the Democratic National Committee Headquarters in Washington DC, on January 19, 2017. The Inaugural Parade follows the new U.S. President Donald Trump and Vice President Mike Pence on the 1.5-mile journey from the U.S. Capitol to the White House on Pennsylvania Ave, following their swearing-in ceremony, continuing a tradition that began with President Thomas Jefferson in 1801. (Photo by Zach D Roberts/NurPhoto via Getty Images)

GRU and WikiLeaks

The allegations are backed up by data collected from service provider logs, Bitcoin transaction tracing, and
additional forensics. The DOJ also relied on information collected by US (and likely foreign) intelligence and law
enforcement agencies. Reading between the lines, the indictment reveals that the Mueller team and other US
investigators likely gained access to things like Twitter direct messages and hosting company business records and
logs, and they obtained or directly monitored email messages associated with the GRU (and possibly WikiLeaks).
It also appears that the investigation ultimately had some level of access to internal activities of two GRU offices.

Expressed Doubt

Yet, after a summit meeting with Russia’s President Vladimir Putin just days following the indictment, Trump
publicly expressed doubt that Russia was involved. The president has said that Putin strongly denied any
interference in the election—even as the United States’ own director of national intelligence, Dan Coats,
reiterated the conclusion that Russia was responsible for the attacks. With such rhetoric, Trump has continued to
send mixed messages about the findings of his own intelligence and law enforcement teams, while seeming to put more stock in Putin’s insistence that the Russian government had nothing to do with any of this.

Not a very good call

After digging into this latest indictment, we find the evidence suggests Trump may not have made a very good call on
this matter. But his blaming of the victims of the attacks for failing to have good enough security, while misguided,
does strike on a certain truth: the Clinton campaign, the DNC, and the DCCC were poorly prepared for this sort of
attack, failed to learn lessons from history, and ignored advice from some very knowledgeable third parties they
enlisted for help.

GRU Organization

The indictment includes a significant amount of detail about the organizational structure of the GRU units allegedly
involved in the wide-ranging information operations during the US presidential election. The source of the
attribution is not revealed in the indictment. However, the level of detail—including when certain individuals
connected to remote applications—indicates that US intelligence and law enforcement officials were working with
more than just the forensic data provided by CrowdStrike. Trump’s «where’s the server?» protests seem even less
well grounded in reality than they did before. The details in the newest indictment get down to the organizational
division of labor at GRU. «There was one unit that engaged in active cyber operations by stealing information,»
said Rosenstein, «and a different unit that was responsible for disseminating the stolen information.»

The Russian military intelligence organization GRU has been involved in espionage against the Democrats (Photo: GRU)

Phishing Campaign

The espionage operation was run by Unit 26165, commanded by GRU Officer Viktor Borisovich Netykshko. Unit 26165 appears to be the organization behind at least part of the «threat group» of tools, techniques, and procedures known as «Fancy Bear,» «Sofacy,» «APT28,» and «Sednit.» Within the unit, two divisions were involved in the breaches: one specializing in operations and the second in development and maintenance of hacking tools and infrastructure.

The operations division, supervised by Major Boris Alekseyevich Antonov, specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials. Antonov’s group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev, according to the indictment, and they were responsible for targeting the email accounts that were exposed on the «DCLeaks» site prior to the election operations.

Wanted to take Control

The second division, overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev, managed the development and maintenance of malware and hacking tools used by Unit 26165, including the X-Agent «implant.» X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows, MacOS, Android, and iOS. The Windows and MacOS versions of X-Agent are capable of recording keystrokes, taking screenshots, and exfiltrating files from infected systems back to a command and control server.

Hacker Monikers

Lieutenant Captain Nikolay Kozacheck (who used the hacker monikers «kazak» and «blablabla1234465») was the primary developer and maintainer of X-Agent, according to the indictment, and he was assisted by another officer, Pavel Yershov, in preparing it for deployment. Once X-Agent was implanted on the DNC and DCCC networks, Second Lieutenant Artem Malyshev (AKA «djangomagicdev» and «realblatr») monitored the implants through the